Hi guys,
I'd like to come back to a requirement that I think would be handy
(for me) but seems to make general sense.
A user has self read on his own object & memberships but not on the
roles that are assigned in that membership.
Don't you think that this makes sense?
I looked a bit at the code and thought that maybe a modification to
the RoleController could do the trick.
Since I'm not well versed in developing and my knowledge about Syncope
is limited, I'd like to propose a general idea.
I tried to have a go with it with a dirty hack but I'm unable to
recover the user object in the context from which I can get the
memberships.
This is what I did (added a hasRoleMembership method and called it in the condition):

    // additional imports needed by the method below
    import java.util.Set;
    import org.apache.syncope.client.to.MembershipTO;
    import org.apache.syncope.client.to.UserTO;
    import org.apache.syncope.core.persistence.beans.user.SyncopeUser;
    import org.springframework.security.core.context.SecurityContextHolder;

    // Entitlement check disabled on purpose (dirty hack): access is decided
    // below, either by entitlement or by membership in the requested role.
    //@PreAuthorize("hasRole('ROLE_READ')")
    @RequestMapping(method = RequestMethod.GET, value = "/read/{roleId}")
    public RoleTO read(@PathVariable("roleId") final Long roleId)
            throws NotFoundException, UnauthorizedRoleException {

        SyncopeRole role = roleDAO.find(roleId);
        if (role == null) {
            throw new NotFoundException(String.valueOf(roleId));
        }

        // roles the caller is entitled to read...
        Set<Long> allowedRoleIds =
                EntitlementUtil.getRoleIds(EntitlementUtil.getOwnedEntitlementNames());
        // ...or, failing that, roles the caller is a member of
        if (!allowedRoleIds.contains(role.getId()) && !hasRoleMembership(roleId)) {
            throw new UnauthorizedRoleException(role.getId());
        }

        auditManager.audit(Category.role, RoleSubCategory.read, Result.success,
                "Successfully read role: " + role.getId());

        return roleDataBinder.getRoleTO(role);
    }

    /**
     * Returns true if the authenticated user holds a membership in the given role.
     */
    private boolean hasRoleMembership(final long roleId) {
        String username = SecurityContextHolder.getContext().getAuthentication().getName();
        SyncopeUser authUser = userDAO.find(username);
        if (authUser == null) {
            // no SyncopeUser behind this principal (e.g. admin): no memberships
            return false;
        }

        UserTO user = userDataBinder.getUserTO(authUser);
        for (MembershipTO membership : user.getMemberships()) {
            if (membership.getRoleId() == roleId) {
                return true;
            }
        }
        return false;
    }
What do you think?
Regards,
Bob